New Secure Online Check-Out Tech Goes For Less Friction, More Biometrics

BioCatch, Zumigo, and Alibaba release tools to help merchants avoid those pesky charge-back costs.

While point-of-sale systems at brick-and-mortar stores continue to be a rich feeding ground for data-hungry hackers, some merchants are at least beginning to take the security of their online shops seriously. The altruistic goal of protecting customers might not provide enough inspiration, but the goal of avoiding the costs of expensive charge-backs on fraudulent purchases does.   

Yet, retailers are historically resistant to increased authentication and authorization measures, because they increase "friction" -- meaning, they make the purchasing process longer and more complicated for the buyer, thereby making the buyer more likely to give up and go elsewhere.

Fortunately for those merchants, the industry has released a few new security tools over the past week that aim to improve security without increasing -- perhaps even reducing -- customer friction. 

BioCatch e-Commerce

This week, Israel-based startup BioCatch expanded the e-commerce offering of its "passive biometrics" technology. The technology collects behavioral data from a user's endpoint input devices -- keyboards, mice, accelerometers, etc. -- and paints a picture of the user's unique but completely unconscious habits. As Dark Reading explained in an interview with BioCatch in July:

They capture physiological behaviors like whether the user is left-handed or right-handed, the duration of their hand tremor, the size of their finger press, their hand-eye coordination, and their muscle structure. They capture cognitive indicators like how a user scrolls through a screen -- do they click the mouse, click and drag the mouse, use the arrow keys, use page up and page down, etc. -- how they interact with certain applications, and how they move the cursor -- quick and direct, slow and circuitous, curving up, curving down.

Then the BioCatch application issues "invisible challenges." The application may speed up or slow down how fast a selection wheel moves, or nudge a cursor in one direction, or create a "force field" that requires a user to press a touchscreen more firmly, and then see how the user responds.

All of those factors are combined into a "cognitive signature," which can then be used for "passive biometric" authentication or fraud detection.

This technology is particularly good at spotting the difference between a human being and a robot, or one human being and another. 

The company says the e-commerce solution can also be used to tell the difference between regular behavior and criminal behavior.

“When making purchases online, fraudsters behave differently than legitimate consumers. Whereas most of us take some time to adjust to a site’s specific checkout process, fraudsters breeze through it with a high familiarity level because they have done it tens or hundreds of times before,” said Uri Rivner, VP Cyber Strategies and Co-founder at BioCatch.
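The passage above describes the mechanism in general terms: raw input-device telemetry is reduced to behavioral features, a per-user baseline is built from those features, and a new session is scored by how far it strays from that baseline, with Rivner's "breezes through" fraudster being the case that should stand out. The following block is an added illustration of that idea using keystroke dynamics only (dwell time, how long a key is held, and flight time, the gap between releasing one key and pressing the next). It is not BioCatch's code, and the feature set, the z-score comparison, the 3.0 threshold and all session data are assumptions constructed for the example; the page does not disclose how the company's cognitive signature is actually built.

```python
from statistics import mean, pstdev

# Added illustration of keystroke-dynamics scoring; not BioCatch's code.
# Each event is (key, key_down_ms, key_up_ms). All session data is constructed.

def make_events(dwells, flights):
    """Constructed helper: build (key, down, up) events from dwell times
    (how long each key is held, ms) and flight times (gap between releasing
    one key and pressing the next, ms)."""
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append(("k", t, t + d))
        t = t + d + (flights[i] if i < len(flights) else 0)
    return events

def session_features(events):
    """Reduce a session's raw events to two behavioural features (ms)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell_ms": mean(dwell), "flight_ms": mean(flight) if flight else 0.0}

def build_profile(sessions):
    """Per-feature (mean, stdev) across a user's enrolled sessions."""
    feats = [session_features(s) for s in sessions]
    profile = {}
    for name in feats[0]:
        vals = [f[name] for f in feats]
        profile[name] = (mean(vals), pstdev(vals) or 1.0)  # guard against zero stdev
    return profile

def score_session(profile, events, threshold=3.0):
    """z-distance of each feature from the profile; flag the session if any
    feature deviates by more than `threshold` standard deviations."""
    feats = session_features(events)
    deviations = {n: abs(feats[n] - mu) / sd for n, (mu, sd) in profile.items()}
    return {"deviations": deviations,
            "anomalous": max(deviations.values()) > threshold}

# Constructed enrolment sessions for one legitimate shopper.
ENROLLED = [
    make_events([90, 100, 110, 95], [150, 170, 160]),
    make_events([100, 105, 95, 100], [180, 160, 170]),
    make_events([110, 95, 100, 105], [165, 175, 155]),
]
PROFILE = build_profile(ENROLLED)

# A later session by the same shopper, and a constructed session with short
# key holds and almost no pauses, the "breezes through" pattern in the quote.
LEGIT_SESSION = make_events([100, 98, 103, 101], [162, 168, 166])
FAST_SESSION = make_events([40, 45, 42, 38], [30, 35, 28])

if __name__ == "__main__":
    for label, session in (("legit", LEGIT_SESSION), ("fast", FAST_SESSION)):
        print(label, score_session(PROFILE, session))
```

A real deployment would use many more features (the mouse and touch signals the article lists), would re-train the baseline as the user's habits drift, and would treat an anomalous score as one input to a fraud decision rather than a hard block, since a shopper on an unfamiliar device will also deviate from their baseline.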

Smile To Pay

Last week, Alibaba both introduced a new biometric authentication mechanism to the payment world and tried to bring some joy to the task of parting with one's money, by announcing Smile to Pay.

Alibaba founder Jack Ma demoed the product at the CeBIT conference in Hanover, Germany. The details thus far are minimal, but the gist is that when a purchaser presses "buy," a facial recognition interaction is initiated; essentially the buyer completes a purchase by holding their phone up for a quick selfie.

The name Smile to Pay is appropriate when buying gaming systems or new shoes; less so when paying exorbitant mobile phone bills, but don't worry -- you don't actually need to smile. 

Smile to Pay is being tested by Ant Financial, an Alibaba affiliate that uses the Alipay online payment system. Alibaba plans to roll out the service first in China.

Zumigo Assure Payments 

Zumigo released a new tool this week, Zumigo Assure Payments, to improve verification of identities of buyers making purchases from mobile devices.

Partnering with mobile operators and Equifax, Zumigo can check the billing records of the mobile device being used to conduct the purchase, and check to see whether or not the identity of the mobile user and the identity on the buyer's payment card match. If they do, it's a lower-risk purchase; if they don't, it's higher-risk.

The Zumigo tool also zeroes in on the real-time location of the mobile device and compares it against the IP address and the buyer's shipping and billing addresses. The closer the match, the lower the risk.
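The two preceding paragraphs describe a risk assessment built from two signals: whether the name on the operator's billing record matches the name on the payment card, and how far apart the device's network location, the IP geolocation and the buyer's billing address are. The block below is an added example of such a check; it is not Zumigo's code, and the score weights, the 100 km and 50/500 km distance thresholds, the tier cut-offs and every name and coordinate are assumptions constructed for the example. In practice the carrier name and device location would come from the operator and identity-data partners the article mentions, not from the merchant.

```python
from math import asin, cos, radians, sin, sqrt

# Added illustration of a device-based purchase risk check; not Zumigo's code.
# Weights, thresholds and all input data below are constructed assumptions.

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def name_key(name):
    """Normalise a cardholder or subscriber name for a loose equality check."""
    return " ".join(name.lower().replace(".", "").split())

def assess(purchase):
    """Score one purchase; a higher score means higher risk.
    purchase keys: card_name, carrier_name (operator billing record),
    device (lat, lon) from the network, ip_geo (lat, lon), billing (lat, lon)."""
    score, reasons = 0, []
    if name_key(purchase["card_name"]) != name_key(purchase["carrier_name"]):
        score += 50
        reasons.append("card name does not match carrier billing name")
    d_ip = haversine_km(purchase["device"], purchase["ip_geo"])
    if d_ip > 100:
        score += 20
        reasons.append(f"device is {d_ip:.0f} km from IP geolocation")
    d_bill = haversine_km(purchase["device"], purchase["billing"])
    if d_bill > 500:
        score += 30
        reasons.append(f"device is {d_bill:.0f} km from billing address")
    elif d_bill > 50:
        score += 15
        reasons.append(f"device is {d_bill:.0f} km from billing address")
    tier = "low" if score < 20 else "medium" if score < 50 else "high"
    return {"score": score, "tier": tier, "reasons": reasons}

# Constructed coordinates (lat, lon).
SAN_JOSE = (37.3382, -121.8863)
SANTA_CLARA = (37.3541, -121.9552)
SAN_FRANCISCO = (37.7749, -122.4194)
LONDON = (51.5074, -0.1278)
LAGOS = (6.5244, 3.3792)
NEW_YORK = (40.7128, -74.0060)

# Three constructed purchases: a local shopper, the same shopper travelling,
# and a purchase whose identity and location signals all disagree.
LOCAL = dict(card_name="Jane Q. Doe", carrier_name="jane q doe",
             device=SAN_JOSE, ip_geo=SAN_FRANCISCO, billing=SANTA_CLARA)
TRAVELLING = dict(card_name="Jane Q. Doe", carrier_name="Jane Q Doe",
                  device=LONDON, ip_geo=LONDON, billing=SANTA_CLARA)
MISMATCH = dict(card_name="Jane Q. Doe", carrier_name="Someone Else",
                device=LAGOS, ip_geo=NEW_YORK, billing=SANTA_CLARA)

if __name__ == "__main__":
    for label, p in (("local", LOCAL), ("travelling", TRAVELLING), ("mismatch", MISMATCH)):
        print(label, assess(p))
```

The graded output matters: the travelling shopper lands in the medium tier rather than being declined outright, which is the "closer the match, lower the risk" behaviour the article describes, and the reasons list gives the merchant something auditable when a customer asks why a purchase was stepped up. The privacy concern raised later in the article applies to the inputs this function consumes, not to the scoring itself.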

While the partnership with the mobile operators could reduce fraud, customers and privacy advocates may balk; it could be seen as another case of mobile operators playing fast and loose with customers' identity and location data.

Yet, privacy complaints may go ignored, if both security and convenience are well served. Last week, Facebook built upon its Messenger app -- which has also been criticized by privacy advocates -- to create a peer-to-peer payment application for Messenger users to send money to one another directly.

According to data released today by SecurityMetrics, six out of 10 merchants still store, unencrypted, payment cards' 16-digit primary account numbers. Further, 7 percent store the full magnetic stripe data, including PAN, cardholder name, expiration date, CVV, PIN, and service code. With data like that floating around, new payment security technology can't come soon enough.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

Kelly Jackson Higgins
User Rank: Strategist
3/25/2015 | 11:58:45 AM
Smile to Pay is a clever marketing strategy, I must say. As we know, the more brick-and-mortar PoS gets locked down, the more the bad guys will redirect attacks to ecommerce shopping. 
User Rank: Apprentice
3/24/2015 | 11:50:54 PM
I don't do selfies
I'll just shop somewhere else if a store wants me to send a selfie with my payment. As for Zumigo, will we be aware that the merchant using this has access to our mobile billing records? It's terrifying that merchants have records of so much of our credit card information, there for the hacking. Our information is not any safer with online merchants either.